Google Expands Its Bounty Program to Include 3rd-Party App Bugs, Data Privacy Violations

Google has dramatically expanded its bug bounty program to include non-Google Android apps in Google Play with 100 million or more installs, as well as data privacy issues in any app. Google will work with developers' own bug/vulnerability bounty programs, but will pay out bounties in addition to those of developers. Google will also use reports of security vulnerabilities through the new program to improve its automated scanners that look for security issues in all apps uploaded to the Play Store. Google is also starting a new program called Developer Data Protection Reward Program (DDPRP) that will offer similar rewards for people who find proof that an app in the Play Store is violating Google's policies on data privacy. Google will pay up to $50,000 to people who identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.